North Korea's Hackers Responsible for Axios npm Hack, Says Google

Google Ties Axios npm Hack to North Korean Threat Group
Just days after the devastating software supply chain attack on the widely used Axios npm package, the cybersecurity community finally has an answer regarding who pulled the strings. Google Threat Intelligence Group has formally attributed the compromise to UNC1069, a sophisticated and financially motivated threat actor operating out of North Korea.
This revelation elevates the incident from a random act of digital vandalism to a calculated, state-sponsored operation. Multiple major security firms, including Microsoft and CrowdStrike, have corroborated these findings, linking the activity to notorious North Korean subgroups such as Sapphire Sleet and Stardust Chollima.
Here is a deep dive into the attribution, the evolved malware payload, and what this means for the future of open-source security.
The Evolution of WAVESHAPER
When attackers hijacked the npm account of the lead Axios maintainer, they did not just drop a generic remote access trojan. They deployed a highly customized cross-platform weapon.
According to forensic analysis from Google and Mandiant, the payload delivered via the malicious plain-crypto-js dependency is an upgraded backdoor known as WAVESHAPER.V2. This malware is a direct descendant of the original WAVESHAPER implant, which UNC1069 previously utilized in targeted campaigns against the cryptocurrency sector.
The new iteration brings significant upgrades to the table. While the original version relied on a basic binary communication protocol, WAVESHAPER.V2 communicates with its command and control servers using JSON. It actively collects detailed system information and supports a wider array of execution commands. Once embedded, the backdoor can terminate its own execution process, map out entire directory structures, run native scripts like PowerShell or AppleScript, and even decode and inject arbitrary payloads directly into memory.
For macOS environments specifically, CrowdStrike noted the deployment of a modernized variant of ZshBucket. The malicious macOS binaries contained developer build paths linking straight back to BlueNoroff's infamous "webT" module, which was heavily featured in the RustBucket and Hidden Risk malware campaigns of recent years.
The Financial Motive
Why would a nation state actor target a foundational JavaScript library? The answer comes down to revenue generation.
North Korean hacking collectives have a well-documented history of leveraging supply chain attacks to infiltrate financial institutions, venture capital firms, and cryptocurrency exchanges. By poisoning a package with over 100 million weekly downloads, UNC1069 effectively cast the widest net possible.
While analysts have not yet observed immediate cryptocurrency theft stemming directly from this specific Axios breach, the overarching goal remains clear. Threat actors from the Democratic People's Republic of Korea are under strict mandates to generate capital. Security experts anticipate that financially motivated attacks will soon emerge from the initial access gained during this campaign.
A Scalable Blueprint
Perhaps the most alarming aspect of the Axios compromise is the level of operational maturity it demonstrates. Security researchers have pointed out that this incident should not be viewed as a one-time anomaly. Instead, it serves as a highly scalable template for future attacks.
The threat actors executed their plan with surgical precision. They utilized compromised maintainer credentials, prepared cross-platform payloads in advance, compromised both legacy and modern release branches within a 40-minute window, and built self-destructing forensic cleanup mechanisms into the malware.
Furthermore, the attack spread beyond the initial npm registry almost instantly. Veracode discovered that an automated mirror package named @depup/axios republished the malicious code just 17 minutes after the initial release. This rapid mirroring means the infection likely bypassed standard registry takedowns and embedded itself deeper into global build pipelines before security teams could react.
Defending the Pipeline
The Axios attack is a stark reminder that trust is the biggest vulnerability in modern software development. The blast radius of a compromised core dependency is exponential, putting every downstream application at risk.
To defend against these advanced persistent threats, security teams must move from reactive patching to proactive supply chain defense. Audit every package manager and registry feeding your environments. Pin your dependencies to known-safe versions in your lockfiles, strictly disable automatic lifecycle scripts during installation, and assume that any secrets exposed on an infected machine have already been exfiltrated.
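As an added example (not code from the article, Google, or the Axios project), the following lockfile gate applies the checks above to a parsed package-lock.json before a build runs npm ci: it flags dependencies without integrity or resolved metadata, dependencies that npm marks with hasInstallScript (they would run lifecycle scripts at install time), and the package names that appeared in this incident, and it confirms that .npmrc sets ignore-scripts=true. The lockfile, version strings, integrity value and .npmrc contents are constructed placeholders.

```javascript
// Added example, not code from the article or the Axios project.
// Gate a parsed package-lock.json (lockfileVersion 2 or 3) before `npm ci`.
const BLOCKLIST = new Set(["plain-crypto-js", "@depup/axios"]); // names from the incident

// "node_modules/axios/node_modules/@scope/pkg" -> "@scope/pkg"
function nameFromPath(pkgPath) {
  const parts = pkgPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns a list of {name, issue} findings; an empty list means the lockfile passes.
function auditLockfile(lock, blocklist = BLOCKLIST) {
  const findings = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (pkgPath === "" || meta.link) continue; // skip root project and workspace links
    const name = nameFromPath(pkgPath);
    if (blocklist.has(name)) findings.push({ name, issue: "blocklisted" });
    if (!meta.integrity) findings.push({ name, issue: "missing-integrity" });
    if (!meta.resolved) findings.push({ name, issue: "missing-resolved" });
    if (meta.hasInstallScript) findings.push({ name, issue: "install-script" });
  }
  return findings;
}

// True only if .npmrc sets ignore-scripts=true, so install-time scripts cannot run.
function npmrcIgnoresScripts(npmrcText) {
  return npmrcText
    .split(/\r?\n/)
    .some((line) => /^\s*ignore-scripts\s*=\s*true\s*$/i.test(line));
}

// Constructed lockfile: version strings and the integrity value are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "*" } },
    "node_modules/axios": {
      version: "0.0.0-constructed",
      resolved: "https://registry.npmjs.org/axios/-/axios-0.0.0-constructed.tgz",
      integrity: "sha512-PLACEHOLDERintegrityValue",
    },
    "node_modules/plain-crypto-js": {
      version: "0.0.0-constructed",
      resolved: "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-0.0.0.tgz",
      hasInstallScript: true, // no integrity field either
    },
  },
};
const SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\nignore-scripts=true\n"; // constructed
console.log(auditLockfile(SAMPLE_LOCK), npmrcIgnoresScripts(SAMPLE_NPMRC));
```

In a pipeline, a non-empty findings list or a false npmrc check should fail the job before any dependency is installed.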
Supply chain attacks are the new normal. Organizations that fail to harden their build pipelines today will inevitably face the consequences tomorrow.